IoT : The Rise of the Machines

[This blogpost has also been published as a guest diary on isc.sans.org]

The Rise of the Machines

Our houses and offices are more and more infested by electronic devices that embed a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called the “Internet of Things” or “IoT”. My home network is hardened: any new (unknown) device connected to it receives an IP address from a specific range which has no connectivity with other hosts or the Internet, but its packets are logged. The goal is to detect suspicious activity like data leaks or unexpected firmware updates. The latest toy I bought yesterday is a Smart Plug from Supra-Electronics. This device allows you to control a power plug from your mobile device and calculate the energy consumption with nice stats. I had a very good opportunity to buy one for a very low price (25€). Let’s see what’s inside…


Searching for Microsoft Office Files Containing Macro

A quick blog post which popped up in my mind after a friend posted a question on Twitter this afternoon: “How to search for Office documents containing macros on a NAS?”. It is a good idea to search for such documents, as VBA macros are known to be a good infection vector and regularly come back in the news, like in the Rocket Kitten campaign.


Analysis of WordPress Login Attempts

Waiting for the new year party, this is a last quick post in 2014! It’s not the first time that I see a peak of rogue authentication requests against some of the WordPress websites. But for a while now, there has been a constant flood of IP addresses trying to brute-force the WordPress login page. This kind of attack is very common and bots are constantly looking for weak passwords. Looking at the Apache (or any other web server) log files is not helpful because they don’t log the payload of POST requests. I captured all the POST requests in a pcap file for a few weeks and today I decided to generate some stats!


TweetSniff.py – a Python Tweets Grabber

For me, Twitter is not only a social network, it’s also a tool that I use daily to track and exchange news about information security with a large worldwide community of infosec professionals. For a while now, Twitter has been my main source of information. When you are relying on a service like Twitter to collect information, you must have the right tools to handle the huge (and constantly increasing) amount of data. I’m using classic Twitter clients on my computers and mobile devices but they are not powerful enough. Standard options such as notifications help to be alerted when a specific Tweet is posted, but often we can’t be disturbed all the time (ex: while working at a customer’s premises or in a meeting). When you’re back to check your timeline, most Twitter clients can’t easily handle thousands of Tweets to be reviewed. In short, I need something else! When you have a lot of data to index, Elasticsearch immediately comes to mind (and the associated tools to build the ELK suite).


The Marketing of Vulnerabilities

There is a black market for vulnerabilities, nothing new with this fact! A brand new 0-day can be sold for huge amounts of money. The goal of this blog post is not to cover this market of vulnerabilities but the way some of them are disclosed today. It’s just a reflection I had when reading some news about RomPager:

[Image: tweet-2015-predictions]


Automatic MIME Parts Scanning with VirusTotal

Here is a Python script that I developed for my personal use: mime2vt.py. I decided to release it because I think it could be helpful for many of you. In 2012, I started a project called CuckooMX. The goal was to automatically scan attachments in emails with Cuckoo to find potentially malicious files. Unfortunately, the project never reached a milestone where it could be used smoothly. Maintaining a set of Cuckoo sandboxes is really a pain and consumes precious computing resources, so why not use the cloud? Yeah, the evil cloud can also be useful!

I wrote a new Python script which extracts MIME parts from emails and checks them against virustotal.com. I’m using it to scan my spam folder. The domain rootshell.be was registered in January 2001, which means that my email addresses are in almost all spam lists over the world! Besides scanning some private addresses, I have a catch-all address which sometimes receives very interesting emails! The last update was to integrate the script with Elasticsearch to get better reporting.

The implemented features are:

  • Use your own VirusTotal API key.
  • MIME attachments can be dumped in a directory (for later investigations).
  • Uninteresting MIME types can be excluded (ex: image/png,image/gif,image/jpeg,text/plain,text/html).
  • Results are logged via Syslog.
  • Zip archives are inspected/processed.
  • VirusTotal results are sent to an Elasticsearch instance.

The primary purpose of this tool is to automate the scan of attachments for juicy files. It does NOT protect you (no files are blocked). Here is an example of a logged result:

Nov 18 13:48:25 marge mime2vt.py[5225]: File: 7ce782ba4e23d6cf7b4896f9cd7481cc.obj \
     (7ce782ba4e23d6cf7b4896f9cd7481cc) Score: 0/55 Scanned: 2014-11-17 08:29:14 (1 day, 5:19:11)
Dec 12 18:41:20 marge mime2vt.py[1104]: Processing zip archive: 4359ae6078390f417ab0d4411527a5c2.zip
Dec 12 18:41:21 marge mime2vt.py[1104]: File: VOICE748-348736.scr \
     (acb05e95d713b1772fb96a5e607d539f) Score: 38/53 Scanned: 2014-11-13 15:45:04 (29 days, 2:56:17)

If the file has already been scanned by VirusTotal, its score is returned as well as the scan time (+ the time difference). If the file is unknown, it is uploaded for analysis. Optionally, the VirusTotal JSON reply can be indexed by Elasticsearch to generate live dashboards:

[Image: ELK VirusTotal dashboard]

The script can be used from the command line to parse data from STDIN or (as I do) it can be used from a Procmail config file (or any other mail handling tool):

:0
* ^X-Spam-Flag: YES
{
    :0c
    | /usr/local/bin/mime2vt.py -d /tmp/mime -c /etc/mime2vt.conf
    :0
    spam
}

The script is available here. If you have ideas to improve it, please share!
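As an added example (not the mime2vt.py code from the post), here is the attachment-extraction stage such a scanner needs, written in Python: it walks the MIME parts of a message, skips the excluded types listed above, expands zip archives so each member is hashed on its own, and returns the filename and MD5 of every candidate, which is what would then be looked up on VirusTotal. The sample message is constructed inline and the VirusTotal query itself is left out so the block runs offline; a corrupt archive is hashed as a plain blob instead of being dropped.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# MIME types that are skipped, the exclusion list quoted in the post
EXCLUDED_TYPES = {"image/png", "image/gif", "image/jpeg", "text/plain", "text/html"}

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_sample(zip_bytes: bytes = None) -> bytes:
    """Constructed test message (not a real capture): text body, PNG and a zip attachment."""
    if zip_bytes is None:  # default: a real archive holding a fake .scr member
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("VOICE748-348736.scr", b"MZ not a real executable")
        zip_bytes = buf.getvalue()
    msg = EmailMessage()
    msg["Subject"] = "Voice message"
    msg.set_content("Please listen to the attached message.")
    msg.add_attachment(b"\x89PNG fake image", maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="voice.zip")
    return msg.as_bytes()

def extract_candidates(raw: bytes, excluded=EXCLUDED_TYPES):
    """Return [(filename, md5)] for each part worth a hash lookup; zip members are hashed individually."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() in excluded:
            continue
        data = part.get_payload(decode=True) or b""
        # A part without a filename gets the "<md5>.obj" name seen in the log sample
        name = part.get_filename() or md5hex(data) + ".obj"
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if not info.is_dir():
                            found.append((info.filename, md5hex(zf.read(info))))
                continue
            except zipfile.BadZipFile:
                pass  # corrupt or fake archive: fall through and hash the blob itself
        found.append((name, md5hex(data)))
    return found
```

Feeding the result of `extract_candidates` into a hash lookup (and uploading unknown files) is the step the post's script performs next; a real deployment would also cap the archive size it expands.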

Botconf 2014 Wrap-Up Day #3

I’m just back from Nancy and it’s time to publish the wrap-up for the last day! The last night was very short for most of the attendees: 30 minutes before the first talk, the coffee room was almost empty! This third day started with “A new look at Fast Flux proxy networks” by Dhia Mahjoub from OpenDNS. Hendrik Adrian was also involved in this research but he could not be present for personal reasons. OpenDNS provides DNS services and, as we all know, DNS is critical in botnet infrastructure. They have access to a very big source of information! It has already been said multiple times: the crimeware scene is an ecosystem. Modern malware communicates with its C&C through proxies. That was the topic of Dhia’s presentation: Fast-Flux proxy networks.


Botconf 2014 Wrap-Up Day #2

Here is my wrap-up for the second day. Yesterday, we had a nice evening with some typical local food and wine, then we went outside for a walk across the city of Nancy. Let’s go!


Botconf 2014 Wrap-Up Day #1

Botconf is back for a second edition! If the first one was held last year in Nantes, botnet fighters from many countries are back, this time in Nancy, to discuss again about… botnets! As the name says, Botconf is a security conference which focuses only on botnets. This is a very interesting topic because everybody was/is/will be infected and part of a botnet. Let the one who never found an infected device on his network throw the first hard drive! About the attendees, 200 people joined in Nancy from many countries (South Africa, Israel, South America, Korea, Japan, and most European countries). There are 25 talks on the schedule prepared by more than 30 top speakers.


Detecting Suspicious Devices On-The-Fly

Just a link to my guest diary posted today on isc.sans.edu. I briefly introduced a method to perform continuous vulnerability scanning of newly detected hosts. The solution is based on OSSEC, ArpWatch and Nmap.

The article is here.